REMARKS

The Non-Final Office Action, mailed December 19, 2008, considered and rejected claims 
24-32, 34, and 36. Claims 24 and 34 were objected to because of informalities. Claims 24, 25, 
27-32, 34, and 36 were rejected under 35 U.S.C. 103(a) as being unpatentable over Barnett (U.S.
Patent No. 6,772,157) hereinafter Barnett, in view of Schmuck (U.S. Patent No. 6,021,508)
hereinafter Schmuck. Claim 26 was rejected under 35 U.S.C. 103(a) as being unpatentable over
Barnett in view of Schmuck, further in view of Anglin (U.S. Publ. No. 2004/0199521)
hereinafter Anglin. 

By this amendment, claims 24-26, 34, and 36 are amended and claims 37-43 are new.[1]
Claims 29-32 are cancelled. Accordingly, claims 24-28 and 34-43 are pending of which claims 
24 and 34 are the independent claims at issue. 

The invention is generally directed to zone based security administration for data entities. 
For example, claim 24 recites a method of splitting the one or more non-overlapping security 
zones into a plurality of non-overlapping security zones to facilitate more efficient delegation of 
administrative rights to principals. Claim 1 recites identifying a grouping of data items and
method items in the combined item hierarchy for which new common security rules are to be
enforced. The identified grouping of data items and method items are currently included in an
existing non-overlapping zone from among the one or more non-overlapping zones. Existing
common security rules are enforced within the existing non-overlapping zone and the new
common security rules differ from the existing common security rules.

A processor re-configures the one or more non-overlapping security zones so that 
administrative rights can be delegated at a granularity that is finer than an entire database but yet 
coarse enough so as to not require delegation for each item. Re-configuring includes splitting the 
existing non-overlapping security zone into a new non-overlapping security zone and a remnant 
of the existing non-overlapping security zone. The arrangement of the new non-overlapping 
security zone relative to the remnant of the existing non-overlapping security zone is based on
the location of the identified grouping of data items and method items within the combined item 
hierarchy. The new non-overlapping security zone is for containing the identified grouping of
data items and methods items. The remnant of the existing non-overlapping security zone
contains at least one data item or method item from the existing non-overlapping security zone.
Accordingly, splitting is restricted in such a way as to prevent overlapping between security
zones and such that none of the data items and method items are included in more than one
security zone. Re-configuring also includes adjusting data properties of each of the items in the
identified grouping of data items and method items to represent that the identified grouping of
data items and method items are contained in the new non-overlapping security zone.

[1] Support for the amendments to the claims is found throughout the originally filed specification and previously
presented claims, including but not limited to paragraphs [022], [023], [032]-[041], [062] and Figures 1, 2, 3, 4, and
6.

For any principals that had existing administrative rights in the existing non-overlapping 
security zone based on the existing common security rules being enforced in the existing non- 
overlapping security zone at the time the existing non-overlapping zone was split, those 
administrative rights are retained. Thus, the administrative rights are retained in the identified 
grouping of data items and methods items, subsequent to splitting the existing non-overlapping 
security zone and subsequent to adjusting data properties to represent that the identified grouping 
of data items and methods items are contained in the new non-overlapping security zone. Claim 
1 then recites specifying that one or more additional principals have other administrative rights in 
the identified grouping of data items and method items based on the new common security rules. 
Rights in the data items and methods items are specified by specifying that the one or more 
additional principals have the other administrative rights to the new non-overlapping security 
zone in accordance with the new common security rules, the other administrative rights differing 
from the existing administrative rights.

Claim 34 is a computer program product claim corresponding to the method of claim 24. 

Applicants respectfully submit that the cited art of record does not anticipate or otherwise 
render the amended claims unpatentable for at least the reason that the cited art does not disclose, 
suggest, or enable each and every element of these claims. 

Barnett describes delegated administration of information in a database directory. A
delegated administration tool comprises a domain definition component that enables an
administrator to define a community of users and divide it into at least one administrative
domain. Each administrative domain is defined to include a group of users that form the domain.
(Abstract and Col. 8, ll. 8-16). Administrators with delegation authority can also use the domain
definition component and the administration privileges component to define sub-domains and
rights within those sub-domains. (Col. 8, ll. 41-50).

An administrative domain is a managed object that comprises a set of users, a set of user
attributes which can be modified, and a set of allowable values for those data fields over which
an administrator has authority. (Col. 5, ll. 9-12). An administrator that has delegation
authority over a domain can delegate authority further, for example, as a sub-domain. (Col. 6, ll.
19-23). However, an administrator cannot change the nature of an operational domain. For
example, an administrator may not add or remove attributes from the domain and may not
include or exclude users by defining additional rules or patterns. Also, an administrator may not
delegate authority to a user that is outside the operational domain. (Col. 6, ll. 53-63).

A database directory contains the various information for users in all of the domains that
form a community. The database directory can include a variety of different types of user data.
The database directory can also include information of physical devices and services. (Col. 4, ll.
24-38, Col. 9, ll. 57-59, and Col. 10, ll. 1-19). An administrator can access the database
directory to create sub-domains, assign a user authority for a domain, administer domain
parameters, edit query rules for a domain, modify or delete authority for a domain, edit a user's
attributes for a domain, view a user's attributes for a domain, and delete users for a domain
through a user interface. (See Figures 7-14d).

However, Barnett is silent with respect to the organizational structure of the data within
the database directory. That is, Barnett indicates different types of data in database directory 52,
but does not provide an indication of the arrangement of different portions of data relative to one
another. Applicants submit that the arrangement in Figures 1 and 2 is essentially an organization
chart of a user community, but does not indicate how data within each sub-domain (which is 
stored in the database directory) is arranged. Further, even assuming arguendo that Figures 1 
and 2 do represent an arrangement of data in a database directory, there is no indication that 
different sub-domains can be grouped across different portions of the organizational chart for 
more efficient administration of the user community. For example, there is no indication that 
local clinic, radiology, and hospital can be grouped and/or administered in a uniform manner. 
Conversely, Barnett teaches that a user community for Medical Services Provider X is sub-
divided so that administration can be delegated the user community.

Schmuck describes a parallel file system and method for independent data login. Multiple
different file systems can utilize disks in a parallel manner. However, Schmuck fails to
compensate for the deficiencies of Barnett.

Accordingly, the cited art fails to teach or suggest, either singly or in combination:

an act of the processor re-configuring the one or more non-overlapping 
security zones so that administrative rights can be delegated at a granularity that is 
finer than an entire database but yet coarse enough so as to not require delegation 
for each item, including: 

an act of splitting the existing non-overlapping security zone into a 
new non-overlapping security zone and a remnant of the existing non-
overlapping security zone, the arrangement of the new non-overlapping 
security zone relative to the remnant of the existing non-overlapping 
security zone based on the location of the identified grouping of data items 
and method items within the combined item hierarchy, the new non- 
overlapping security zone for containing the identified grouping of data 
items and methods items, the remnant of the existing non-overlapping 
security zone containing at least one data item or method item from the 
existing non-overlapping security zone, wherein said splitting is restricted 
in such a way as to prevent overlapping between security zones and such 
that none of the data items and method items are included in more than 
one security zone; and 

an act of adjusting data properties of each of the items in the 
identified grouping of data items and method items to represent that the 
identified grouping of data items and method items are contained in the 
new non-overlapping security zone; 

for any principals that had existing administrative rights in the existing 
non-overlapping security zone based on the existing common security rules being 
enforced in the existing non-overlapping security zone at the time the existing 
non-overlapping zone was split, an act of retaining those existing administrative 
rights in the new non-overlapping security zone, including in the identified 
grouping of data items and methods items, subsequent to splitting the existing 
non-overlapping security zone and subsequent to adjusting data properties to 
represent that the identified grouping of data items and methods items are 
contained in the new non-overlapping security zone; and

an act of specifying that one or more additional principals have other 
administrative rights in the identified grouping of data items and method items 
based on the new common security rules by specifying that the one or more 
additional principals have the other administrative rights to the new non- 
overlapping security zone in accordance with the new common security rules, the 
other administrative rights differing from the existing administrative rights, 
as recited in claim 24, when viewed in combination with the other limitations of claim 24. For at
least this reason, claim 24 patentably defines over the art of record. For at least this same reason,
claim 34 also patentably defines over the art of record. The dependent claims also patentably
define over the art of record at least for the same reason as their corresponding base claim.

In view of the foregoing, Applicant respectfully submits that all the rejections to the
independent claims are now moot and that the independent claims are now allowable over the
cited art, such that any of the remaining rejections and assertions made, particularly with respect
to all of the dependent claims, do not need to be addressed individually at this time. It will be
appreciated, however, that this should not be construed as Applicant acquiescing to any of the
purported teachings or assertions made in the last action regarding the cited art or the pending
application, including any official notice, and particularly with regard to the dependent claims.[2]

The Commissioner is hereby authorized to charge payment of any of the following fees
that may be applicable to this communication, or credit any overpayment, to Deposit Account
No. 23-3178: (1) any filing fees required under 37 CFR § 1.16; and/or (2) any patent application
and reexamination processing fees under 37 CFR § 1.17.



[2] Instead, Applicant reserves the right to challenge any of the purported teachings or assertions made in the last
action at any appropriate time in the future, should the need arise. Furthermore, to the extent that the Examiner has
relied on any Official Notice, explicitly or implicitly, Applicant specifically requests that the Examiner provide
references supporting any official notice taken. Furthermore, although the prior art status of the cited art is not being
challenged at this time, Applicant reserves the right to challenge the prior art status of the cited art at any appropriate
time, should it arise. Accordingly, any arguments and amendments made herein should not be construed as
acquiescing to any prior art status of the cited art.

In the event that the Examiner finds remaining impediment to a prompt allowance of this
application that may be clarified through a telephone interview, the Examiner is requested to 
contact the undersigned attorney at (801) 533-9800. 



Dated this 18th day of March, 2009.




RICK D. NYDEGGER
Registration No. 28,651
MICHAEL S. DODD
Registration No. 46,437 
Attorneys for Applicant 
Customer No. 047973 